diff --git a/authorization/middleware.go b/authorization/middleware.go
new file mode 100644
index 0000000..73511a8
--- /dev/null
+++ b/authorization/middleware.go
@@ -0,0 +1,60 @@
+package authorization
+
+import (
+	"net/http"
+
+	"github.com/Sirupsen/logrus"
+	"golang.org/x/net/context"
+)
+
+// Middleware uses a list of plugins to
+// handle authorization in the API requests.
+type Middleware struct {
+	plugins []Plugin
+}
+
+// NewMiddleware creates a new Middleware
+// with a slice of plugins.
+func NewMiddleware(p []Plugin) Middleware {
+	return Middleware{
+		plugins: p,
+	}
+}
+
+// WrapHandler returns a new handler function wrapping the previous one in the request chain.
+func (m Middleware) WrapHandler(handler func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error) func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+	return func(ctx context.Context, w http.ResponseWriter, r *http.Request, vars map[string]string) error {
+
+		user := ""
+		userAuthNMethod := ""
+
+		// Default authorization using existing TLS connection credentials
+		// FIXME: Non trivial authorization mechanisms (such as advanced certificate validations, kerberos support
+		// and ldap) will be extracted using AuthN feature, which is tracked under:
+		// https://github.com/docker/docker/pull/20883
+		if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
+			user = r.TLS.PeerCertificates[0].Subject.CommonName
+			userAuthNMethod = "TLS"
+		}
+
+		authCtx := NewCtx(m.plugins, user, userAuthNMethod, r.Method, r.RequestURI)
+
+		if err := authCtx.AuthZRequest(w, r); err != nil {
+			logrus.Errorf("AuthZRequest for %s %s returned error: %s", r.Method, r.RequestURI, err)
+			return err
+		}
+
+		rw := NewResponseModifier(w)
+
+		if err := handler(ctx, rw, r, vars); err != nil {
+			logrus.Errorf("Handler for %s %s returned error: %s", r.Method, r.RequestURI, err)
+			return err
+		}
+
+		if err := authCtx.AuthZResponse(rw, r); err != nil {
+			logrus.Errorf("AuthZResponse for %s %s returned error: %s", r.Method, r.RequestURI, err)
+			return err
+		}
+		return nil
+	}
+}